Apr 02, 2024NewsroomBrowser Security / Data Security

Google has agreed to purge billions of data records reflecting users’ browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.

The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the “incognito” or “private” mode on web browsers like Chrome.

In late December 2023, it emerged that the company had consented to settle the lawsuit. The deal is currently pending approval by the U.S. District Judge Yvonne Gonzalez Rogers.

“The settlement provides broad relief regardless of any challenges presented by Google’s limited record keeping,” a court filing on April 1, 2024, said.

“Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members’ private browsing activities.”

As part of the data remediation process, Google is also required to delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing User-Agent strings, and remove detailed URLs within a specific website (i.e., retain only domain-level portion of the URL).

In addition, it has been asked to delete the so-called X-Client-Data header field, which Google described as a Chrome-Variations header that captures the “state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.”

This header is generated from a randomized seed value, making it potentially unique enough to identify specific Chrome users.

Other settlement terms require Google to block third-party cookies within Chrome’s Incognito Mode for five years, a setting the company has already implemented for all users. The tech company has separately announced plans to eliminate tracking cookies by default by the end of the year.

Google has since updated the wording of Incognito Mode in January 2024 to clarify that the setting will not change “how data is collected by websites you visit and the services they use, including Google.”

The lawsuit extracted admissions from Google employees that characterized the browser’s Incognito browsing mode as a “confusing mess,” “effectively a lie,” and a “problem of professional ethics and basic honesty.”

It further laid bare internal exchanges in which executives argued Incognito Mode shouldn’t be called “private” because it risked “exacerbating known misconceptions.”

The development comes as Google said it has started automatically blocking bulk senders in Gmail that don’t meet its Email sender guidelines in an attempt to cut down on spam and phishing attacks.

The new requirements make it mandatory for email senders who push out more than 5,000 messages per day to Gmail accounts to provide a one-click unsubscribe option and respond to unsubscription requests within two days.

Feb 23, 2024NewsroomPrivacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users’ browsing data to advertisers after claiming its products would block online tracking.

In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third parties without their consent.

The FTC, in its complaint, said Avast “unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.”

It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users’ privacy, but failing to inform them that it would sell their “detailed, re-identifiable browsing data” to more than 100 third-parties through its Jumpshot subsidiary.

What’s more, data buyers could associate non-personally identifiable information with Avast users’ browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.

The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, calling out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot’s “past, present, and potential clients.”

A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast’s browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions as spyware.

The data, which includes a user’s Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person’s computer without seeking their informed consent.

“Browsing data [sold by Jumpshot] included information about users’ web searches and the web pages they visited – revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the FTC alleged.

Jumpshot described itself as the “only company that unlocks walled garden data,” and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.

The privacy backlash prompted Avast to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Jan 29, 2024NewsroomSurveillance / Data Privacy

The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to taking steps to “ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”

Metadata about users’ browsing habits can pose a serious privacy risk, as the information could be used to glean personal details about an individual based on the websites they frequent.

This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication.

In response to Wyden’s queries, the NSA said it has developed compliance regimes and that it “takes steps to minimize the collection of U.S. person information” and “continues to acquire only the most useful data relevant to mission requirements.”

The agency, however, said it does not buy and use location data collected from phones used in the U.S. without a court order. It also said it does not use location information obtained from automobile telematics systems from vehicles located in the country.

Ronald S. Moultrie, under secretary of defense for intelligence and security (USDI&S), said Departments of Defense (DoD) components acquire and use commercially available information (CAI) in a manner that “adheres to high standards of privacy and civil liberties protections” in support of lawful intelligence or cybersecurity missions.

The revelation is yet another indication that intelligence and law enforcement agencies are purchasing potentially sensitive data from companies that would necessitate a court order to acquire directly from communication companies. In early 2021, it was revealed the Defense Intelligence Agency (DIA) was buying and using domestic location data collected from smartphones via commercial data brokers.

The disclosure about warrantless purchase of personal data arrives in the aftermath of the Federal Trade Commission (FTC) prohibiting Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information to its customers without users’ informed consent.

Outlogic, as part of its settlement with the FTC, has also been barred from collecting location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, domestic abuse shelters, and places of religious worship.

The purchase of sensitive data from these “shady companies” has existed in a legal gray area, Wyden noted, adding the data brokers that buy and resell this data are not known to consumers, who are often kept in the dark about who their data is being shared with or where it is being used.

Another notable aspect of these shadowy data practices is that third-party apps incorporating software development kits (SDKs) from these data brokers and ad-tech vendors do not notify users of the sale and sharing of location data, whether it be for advertising or national security.

“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to ‘government contractors for national security purposes,'” the Oregon Democrat said.

“I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industry-wide, and not limited to this particular data broker.”